Medical identity theft has long been an issue for hospitals, and a serious problem not only for patient safety, but for a hospital's bottom line.
Most hospitals have problems with medical overlays (when one patient record is overwritten with data from another patient's record) - caused by forging, theft, or sharing of key identifiers like social security numbers and names. If a patient is treated based on the wrong medical record, not only is the patient at serious medical risk, but the organization faces potential lawsuits, which can have disastrous financial consequences. Another consideration of authenticating patient identity is time; registrars often waste valuable hours re-entering data each time the patient presents.
When it comes to authenticating patients' identity while protecting their privacy, many feel the healthcare sector lags behind other industries. In January, the Office of the National Coordinator in Washington released a report on medical identity theft, noting that patient authentication can be one of the simplest ways to it. One solution is biometrics.
Long seen as the stuff of science fiction, many equate biometric security technology with Mr. Spock opening a port door with the wave of a hand. But at several hospital systems, the future is here, with palm vein authentication as an easy-to-implement solution. “It would require no, or very little, user training,” says Sally Hudson, research director, security products and services for IDC consultants, Framingham, Mass. “Getting up and running quickly is a cost savings.”
Hudson also says that it can help hospitals obtain HIPAA certification and comply with new Federal Trade Commission anti-ID theft regulations. The regulations, which the FTC says it won't enforce until May 1, 2009, are commonly known as “red flag” rules and apply to most healthcare providers.
Palm vein authentication technology utilizes a scanner to “read” the vein in a patient's palm using an infrared light. It then matches the patient's biometric template against a database of enrolled users. The scan is assigned a number that is matched with the patient's medical record, eliminating the need for patients to repeatedly provide confidential information, and reducing the time registrars need to check a patient in. With the palm scanning system, once a patient's information is collected on the first visit, it remains permanently in the system. The technology, known in the United States as PalmSecure, was developed by Fujitsu (Sunnyvale, Calif.,) and is fairly common in Asia, where it is has been used at ATMs for about five years.
Here in the U.S., Craig Richardville, CIO of the 23-hospital system Carolinas Healthcare (based in Charlotte, N.C.), was the first to pioneer it in the healthcare setting for patient safety and privacy.
Using it as a unique patient identifier was part of his implementation strategy for the system's Kansas City, Mo.-based Cerner Millennium EMR. “As things become more automated and online, making sure those records are lined up becomes even more critical,” Richardville says. “We wanted to make sure we had something in place before we started to roll out the EMR - it went hand in hand.”
With such a large heath system, Richardville says he needed to ensure that patients coming into the system from any point of access could be accurately identified and matched to the correct patient record - no small feat with more than 300 physical locations. Richardville's research led to an investigation of different biometric technologies, during which he found that fingerprint scanning wasn't accurate enough and retina scanning was too invasive.
Hudson agrees that palm vein authentication has a better reputation than fingerprinting, especially in the medical community. “It's more reliable and not as vulnerable to whether someone is wearing lotion.” By most estimates, about 2 percent of people don't have readable fingerprints; anything from a missing finger to dry skin can throw off a fingerprint, she says.
The technology is scoring high points with patients. According to Lindsey Jarrell, CIO at BayCare Health System a nine-hospital-system based in Tampa, Fla., what they like best is the privacy. Patients no longer have to recite their name, social security number or other identifying information at a desk. Instead, they simply put their hand on the PalmSecure cradle. “We still make a copy of their license and insurance card for insurance filing purposes,” says Jarrell, “but you no longer have to have that conversation.”
At BayCare, Jarrell has had such a positive reaction from patients that he is now enrolling visiting family members to increase the size of the PalmSecure database. “You might be a family member today and a patient tomorrow,” he says, adding that the family members are often eager to enroll once they see the technology in action.
But is the ROI on such a novel technology something to bring to the Board? And is it an easy sell? Those already using palm scanning say yes.
“In addition to patient safety, our principal driver was cost avoidance (from lawsuits), by eliminating duplicate medical records and the potential of medical overlays,” Jarrell says. “One negative outcome for one patient because of medical records being overlaid, and that's millions of dollars, easily.”